Revolutionary new cryptography tool could make software unhackable

This site may earn affiliate commissions from the links on this page. Terms of use.

A team of researchers from IBM and Microsoft may have just made a breakthrough in the quest for unbreakable cryptography. The results produced by the team from UCLA and MIT offer hope that encryption could protect not just an output, but an entire program. Once believed to be too powerful to exist in any real sense, this new method of program obfuscation could lead to ultra-secure software that keeps your personal information safe from nefarious individuals.

The idea of obfuscating a program has been around for decades — software companies have tried all sorts of methods to distort their code in order to prevent others from seeing how it worked. However, the security and hacking communities have been able to defeat all these measures. Cryptographic experts have long been tinkering with stronger approaches, but it wasn’t until the most recent collaboration that the pieces started falling into place.

Cryptographers have been chasing the idea of a so-called “black box obfuscator” for years. The idea is that any program passed through the black box would be so fundamentally garbled that no one would be able to figure out how it worked or what secrets it might hold — only inputs and outputs would be visible, which is exactly what you want. This method could make communications almost completely secure. All you would need to do is create encryption keys with an obfuscated program, then make that program available to the other party — or everyone for that matter, since no one would be able to figure out the decryption key from examining the obfuscated program.

One member of the team, Amit Sahai worked on a principle known as indistinguishability obfuscation a few years back, which at the time was considered a weak type of obfuscation. It involves passing a program through said obfuscator to disguise the origin. Two programs that do the same thing would be indistinguishable from each other at the end of it. Recent work has pointed to this as a surprisingly powerful cryptographic tool, though. The only problem, an indistinguishability obfuscator didn’t exist — until now.

The obfuscator created by Sahai and his colleagues appears to almost reach the level of broad protection described by the theoretical black box obfuscator. The tool, based on indistinguishability obfuscation, can be used to generate digital signatures, encryption keys, and more without leaking any of the inner workings of applications. It works by splicing random bits of data into the program’s code so that it cannot be extracted in a functional state. However, when run as it is supposed to be, the random junk cancels itself out and you get the desired output.

After creating this obfuscation scheme, the team tried to break it by deploying every tool and hack they could come up with. The result? The obfuscator remains undefeated. The team feels this is as close to unbreakable as encryption gets right now, but it’s possible some future advance in computing or lattice mathematics could result in a breach.

While having access to strong cryptographic tools is certainly desirable, remember that companies and governments use encryption to protect sensitive data and trade secrets too. Breaking the encryption on future electronic devices might not be as easy as it was with DVD or the PS3. The indistinguishability obfuscator is still not ready for real world use, though. Right now it turns efficient little apps into ungainly monstrosities with all that random code inserted. It’s still a very big step for cryptography.

Tagged In

Unless this encryption uses quantum technology, it doesn’t stand a chance against anything the NSA will be using in the future.

powerwiz

We would be a fool to to believe that they do not posses Quantum Computing tech. They announced not to long ago they were investing in it. I take that to mean that they already have it. If you read up on what they have in Oak Ridge its astounding.

Daniel Shepherd

Quantum computers are starting to become a reality with the chips lasting longer and longer in tests they are conducting. Also this encryption, do you think there may be a chance that the Government is going to pay them off to allow a back door or something that will help decrypt the data?

Dustymack

That was my thought as well. Also, The “black box” can scramble and unscramble software right? Why no hack the black box to gain the secret algorithm? Plus, this black box sounds a lot like winrar!!!

Mo Friedrich

Ha-ha. So noone will ever be able to figure out just how many security breaches and backdoors the software company was forced to implement by the NSA. Really great approach for security.

Now imagine malware authors or authors with malicious intent using this.

These sorts of protections have never been good. It have only caused problems for the users.

For instance: slows down a program significantly due to code obfuscation.

Obfuscation in general takes code the compiler have put in a special order and optimized for best performance (to the compilers ability) and reorders it and inserts random do-nothing code. Causing all kinds of problems with performance and even bugs that cause malfunctions. Game copy protections is a good example of this.

Windows operating system’s copy protection have been demonstrated to steal cpu time, lowering the performance of other programs continually. Sometimes it even stays in memory and do not shut down until you restart the computer.

It even happens on pre-activated computers.

Protections should be banned. It doesn’t serve humanity at all. It only serves the greedy who is afraid of losing their money.

That they have stolen, scammed and cheated to get. Overpricing, price-fixing, monopoly, anti-competitive behavior such as patents and licensing, psychological manipulation of customers (eg abusive use of scoring and achievements systems in games, zero day DLC’s), etc, etc

ArchAngel570

Hackers tool kits are always getting better as Security tools get better at catching/detecting/mitigating the hackers. It’s a catch-22. The idea is to be one step ahead as much as possible when it comes to cyber security. Nothing is 100% secure (debatable). But security is always a trade off between user access and ability and protection of assets. I could make code 100% secure but then nobody would have access to it. I could also make a web server 100% but could only do that by cutting off all access to it. It’s up to the companies to find the trade off.

Vidya Wasi

The cat and mouse game is a waste of time, instead of fighting against the evolution. Find a way to work with it. To evolve with it.

As with nature if you refuse to evolve and adapt you will lose permanently. Cheating will only postpone the inevitable.

It is like the social sharing experiment: You have found a chocolate bar. You can keep it for yourself, keep your energy up for a few days or share it equally with the group, only keep your energy up for a few hours at best.

Here’s the problem: Sharing by giving the whole group some energy, could increase the chances of somebody in the group finding more food by which they could share it. Continually keeping the group alive. Chances of you alone finding more food would not be as high.

(There was a reference to some math but I have forgotten it.)

It is the two heads are better than one sort of thing.

James Riendeau

Coming to a Russian malware kit soon. It blows my mind how sophisticated these apps have become to evade detection.

Batman

Security through obscurity never worked. And this sounds like it’ll be only good for DRM and covering up gaping security holes that have no reason or excuse to be there, other than underpaid, uneducated code monkeys. Yea…just cover it with enough shit for anyone to dig through and it’ll be fine for now. Great approach.

chojin999

Useless research from useless overrated indian programmers…

IBM is firing 15,000 people.. this one has to go to.

The whole obfuscation scheme nonsense he and his team designed are a joke.
The description points out that the code becomes unecrypted to be executed.. which means that it’s not a true encryption.

The only secure encryption happens when you have the OS, CPU and hard drives (and other devices too) all encrypted at drivers, firmware/BIOS/microcode levels. Anyone remembers Trusted Computing ?

Scott

Maybe its my own ignorance, but I just dont see how this is possible at all. It seems to me that if you can see three things- a module’s inputs, a module’s outputs, and actual instructions going to the CPU, that you could divine source.